Interfaces
'''PHYSICAL INTERFACES:''' Device -> Interfaces -> Ethernet
The firewall has the ability to mix and match these interface types on a single device.

'''> TAP MODE interface''' - Listen only, no traffic blocking.
* Firewall must be connected to a core switch's SPAN port or mirror port to identify applications running on the network.
** Requires no changes to the existing network design.
** ''SPAN port'' (switched port analyzer) or port mirroring = used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
* Must be assigned to a security zone for ACC and reporting capabilities.
** To allow logging, policies will be configured with both the source and destination zones set to the zone containing the tap interface.
* If the SPAN port passes encrypted traffic, tap interfaces only support SSL inbound decryption.
** Must install the internal server certificate and add a defined decryption policy to decrypt traffic.

'''> VIRTUAL WIRE interface''' - Bump in the wire; binds 2 interfaces together with no MAC or IP assigned, so there is no need to re-address the network.
* Firewall can be inserted into an existing topology without any reallocation of the network addresses or redesign of the network topology.
* Can be any combo (copper-copper, fiber-fiber, copper-fiber).
* Supports App-ID, Decryption, NAT, Content-ID, and User-ID.
* Does NOT support VPNs, routing, or device management.
* Defined in 2 steps: must create a ''vwire object'' and configure the vwire interfaces that the object connects.

'''VWIRE Subinterfaces'''
* Behave like multiple physical ports.
* Designed to allow classification of traffic into different zones and virtual systems without requiring additional physical interfaces.
* The virtual wire object is inherited from the parent interface.
* Subinterface and parent interface can be configured in different zones.
* Subinterfaces allow you to separate and classify traffic into different zones by either VLAN tags or VLAN tags + IP classifiers (address, range, subnets).
* IP classifiers on untagged traffic: create a subinterface with VLAN tag 0, then define the subinterface's IP classifiers to manage the untagged traffic.

1. VWire object: Network -> Virtual Wire -> Add
* ''Interfaces:'' Select 2 eth interfaces. They are only listed here if they have the vwire interface type and have not already been assigned to another vwire.
* ''Tags Allowed:'' Able to block or allow traffic based on VLAN tag values.
** Tag value of 0 = untagged traffic; tag value of 0-4094 = all traffic.
** Multiple ranges must be separated by commas.
** Traffic with an excluded tag value will be dropped.
** For '''subinterfaces''': the Tags Allowed list will cause all traffic with the listed tags to be classified to the parent vwire. Vwire subinterfaces must use tags that do not exist in the parent's Tags Allowed list.
* ''Multicast Firewalling:'' Must select "Multicast Firewalling" if you want to apply security policies to multicast traffic. If not enabled, multicast traffic is forwarded across the vwire.
* ''Link State Pass Through:'' Select if you want to bring down the other port in the vwire when a down link state is detected. If not selected, link status is not propagated across the vwire.

2. Vwire interfaces: Network -> Interfaces -> Ethernet tab
* Specify the vwire object and the security zone assigned, since traffic will flow between vwire interfaces.

3. Security Policy: Policies -> Security -> Add
* Confirm there is a rule from Trust to Untrust that permits all traffic (any/any/any/allow).
* If you have inbound connections: need an Untrust to Trust rule (any/any/any/allow).
* Commit.

'''> LAYER 2 interface''' - The PAN provides switching between 2 or more networks.
* All protection and decryption features can be used for trunk (VLAN) interfaces.
* Supports 802.1Q VLANs but not STP (spanning tree protocol).
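The Tags Allowed and subinterface classification rules from the virtual wire section above (comma-separated tag ranges, tag 0 for untagged frames, excluded tags dropped, subinterface tags that must not appear in the parent's list, and a tag-0 subinterface with IP classifiers), as an added Python model that is not from the page or from PAN-OS. The vwire names, tag ranges and addresses are constructed, and first-match ordering among subinterfaces on the same tag is an assumption of the model.

```python
import ipaddress

MAX_VLAN = 4094  # 802.1Q tag values on the page run from 0 (untagged) to 4094


def parse_tags_allowed(spec):
    """Parse a 'Tags Allowed' string such as '0,100-110,200' into a set of VLAN IDs.
    Entries are comma-separated; a range uses '-'; tag 0 stands for untagged frames."""
    tags = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"tag value out of range: {part!r}")
        tags.update(range(lo, hi + 1))
    return tags


class VirtualWire:
    """Model of one vwire object plus its subinterfaces. First matching subinterface
    wins; that ordering is an assumption of this model, not a documented PAN-OS rule."""

    def __init__(self, name, tags_allowed):
        self.name = name
        self.tags_allowed = parse_tags_allowed(tags_allowed)
        self.subinterfaces = []  # (name, vlan tag, [IP classifier networks])

    def add_subinterface(self, name, tag, ip_classifiers=()):
        # A subinterface tag must not appear in the parent's Tags Allowed list,
        # otherwise the parent vwire would claim that traffic first.
        if tag in self.tags_allowed:
            raise ValueError(f"tag {tag} is already in {self.name}'s Tags Allowed list")
        nets = [ipaddress.ip_network(c, strict=False) for c in ip_classifiers]
        self.subinterfaces.append((name, tag, nets))

    def classify(self, vlan_tag, src_ip):
        """Return the interface a frame is classified to, or None if it is dropped."""
        if vlan_tag in self.tags_allowed:
            return self.name  # listed tags (0 = untagged) belong to the parent vwire
        ip = ipaddress.ip_address(src_ip)
        for name, tag, nets in self.subinterfaces:
            # tag-only subinterface matches any source; IP classifiers narrow it further
            if tag == vlan_tag and (not nets or any(ip in n for n in nets)):
                return name
        return None  # tag excluded everywhere: frame is dropped
```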
* Each group interface must be assigned to a VLAN object, and additional subinterfaces can be defined if needed.
* Layer 3 support, for VLAN switching, can be employed with VLAN interfaces.
* Each Layer 2 interface that's defined on the firewall must be associated with a VLAN object if Layer 2 switching is required to be performed by the firewall.
** '''VLAN object''' = a Layer 2 switch object that allows multiple Layer 2 physical interfaces and subinterfaces to be associated into a single switching domain.
*** Multiple Layer 2 interfaces can be assigned to a single VLAN object, but each Layer 2 interface or subinterface can belong to only 1 VLAN object.
*** VLAN objects can switch tagged and untagged traffic.

'''LAYER 2 Subinterface'''
* Behave like traditional switches.
* Can have virtual interfaces on each of the VLANs on the trunk.
* Any untagged traffic will be processed by the base Layer 2 physical interface.

'''> LAYER 3 interface'''
* The firewall can take the place of any current enterprise firewall deployment.
* Layer 3 services include: virtual routers, VPN and routing protocols.
* At minimum, must assign an IP address to each interface, a zone, and a virtual router to route traffic.
* All Layer 3 interfaces in a specific virtual router will share the same routing table.
* Interfaces can be configured as a DHCP client if required to have dynamically assigned IP addresses.
* If adding a VLAN tag to a Layer 3 interface, must create a subinterface to apply the VLAN tag (1 subinterface per VLAN).

'''LAYER 3 Subinterface'''
* Most common when the firewall will be responsible for routing between the tagged VLANs.
* The configuration is much the same as Layer 2 interfaces with the addition of virtual router and IP address requirements.

'''LAYER 3 UNTAGGED Subinterface'''
* The untagged subinterface option must be enabled on the parent Layer 3 interface.
* They're used in multi-tenant environments where traffic from each tenant must leave the firewall without VLAN tags.
* In this case, all traffic must be configured for SOURCE NAT using the IP address of the UNTAGGED subinterface.

'''> HA-PAIR (High Availability)'''
* You must configure 2 traffic ports as the HA ports on the PA-200 and PA-500 only.

'''LOGICAL INTERFACES SUPPORTED:''' Network -> Interfaces -> Add Subinterface

'''Subinterfaces (802.1Q):'''
* Virtual wire subinterfaces are designed to allow classification of traffic into different zones and virtual systems without requiring additional physical interfaces. Common in environments where the firewall needs to be transparent to neighboring networking devices.
* L2 subinterfaces behave like traditional switches.
* L3 subinterfaces behave like routers on a VLAN.
* ''IP classifiers'' can be used to manage untagged traffic. Create a VLAN tag 0 subinterface and then define the subinterface's classifiers (address, range, or subnet).
* Up to 4094 VLANs supported per port; max of 4094 VLANs per system.

Network -> Interfaces -> '''Loopback'''
'''Loopback interfaces''' can provide in-band management, GlobalProtect Portal or Gateway functionality, and IPSec.
* Behaves like a host interface and is assigned an IP address.
* ''/32'' netmask is required.
* The routing table is inherited from the virtual router to which it's assigned.

Network -> Interfaces -> Tunnel
'''Tunnel Interface''' is a logical L3 interface that represents a specific VPN configuration.
* For IPSec or SSL VPNs.
* Traffic routed to this interface is tunneled according to the configuration of the IPSec VPN object associated with the tunnel interface.

'''Aggregate Interfaces (802.3ad)''' provide 2 key things: increased throughput and link redundancy. Not offered on the PA-200.
* Up to 8 physical 1 Gig interfaces can be placed into an aggregate group.
* Aggregate interface groups allow you to generate more than 1 Gbps aggregate throughput by using 802.3ad link aggregation of multiple 1 Gbps links.
* Must all be the same type (like all copper or all fiber).
* If using aggregate groups, configuration is done on the group object and not on the aggregate Ethernet interfaces themselves.
Step 1) Create the aggregate group: Network -> Interfaces -> Ethernet -> Add Aggregate Group
Step 2) Assign the interface to the group: Network -> Interfaces -> Ethernet
* Subinterfaces must be assigned to an aggregate interface. The parent interface will not be able to join an aggregate group if it is a Layer 3 or Layer 2 interface with subinterfaces.

'''INTERFACE PROFILE MANAGEMENT''' Network -> Network Profiles -> Interface Mgmt -> Add
* Can be assigned to L3, loopback, and VLAN interfaces.
* A management profile specifies which protocols can be used to manage the firewall on a traffic interface (in-band/data plane).
* By default, any management traffic sent to or from the firewall goes through the out-of-band (control plane) management interface (MGT). A Layer 3 interface can be used to source this traffic and also receive inbound management traffic.
* The permitted services are:
** [] Ping
** [] Telnet
** [] SSH
** [] HTTP
** [] HTTPS
** [] SNMP
** [] Response Pages
* The management features enabled by the profile can be restricted to specific IP addresses with the ''Permitted IP Address'' panel.
** If configured, only the IP addresses listed can use the services selected.
** If left blank, the profile allows any IP address to use the configured services.